Santiago Lopez – Ethical Hacker

On March 1, 2019, HackerOne, a company that offers rewards (“bounties”) for hackers to make companies more cyber secure announced that Santiago Lopez, a 19 year old from Argentina, became the first hacker to surpass $1 million dollars in bug bounty rewards from the platform.

Lopez who is a 100% self taught, learned to hack by watching YouTube videos and reading blogs, and was inspired to become a hacker by watching the 1995 movie Hackers.

Initially Lopez wasn’t interested in money but then in 2015 he came across HackerOne and thus began his career as an ethical (or white hat) hacker. His first bounty was worth $50. To date his largest bounty was $9,000 for a vulnerability that would allow a remote takeover.

By the time Lopez had made a million dollars he had only been coding for four years. At the time of writing [September 2019] Lopez has reported over 1,900 security flaws.

Lopez prefers to hack in the afternoon and night and his favorite attack vector is Insecure Direct Object Reference or IDOR, which he says are “very easy …. to find” and are high paying bounties.

An IDOR is described by CodeX as “when a developer exposes a reference to an internal implementation object, such as a file, directory or database key. . . . ” This can mean something as simple as exposing a database ID or user name in the query string of a URL like http://somesite/myinvoices?invoice=12345 or http://bigbank/userids?userid=johndoe.

Lopez’s user name on the platform is @try_to_hack, where you can follow his work. Lopez has acquired bounties from companies as diverse as Twitter, Verizon, WordPress as well as many other government and private institutions.

On the About page of HackerOne’s website it describes itself thusly: “Our platform is the industry standard for hacker-powered security. We partner with the global hacker community to surface the most relevant security issues of our customers before they can be exploited by criminals.”

When HackerOne announced that Lopez had become the first bounty millionaire, their CEO Marten Mickos said, “The entire HackerOne community stands in awe of Santiago’s work.”

Currently, Lopez owns two cars, a Peugeot RCZ and a Mini Cooper and lives in an exclusive beach house outside of Buenos Aires, which is the most expensive rental area on the Argentinian coast.

He believes he will continue to hack for the rest of his life.

Interesting Facts:

Lopez chose the handle @try_to_hack to inspire himself to work harder.

Lopez sees hacking like a normal job and works 6-7 hours a day.

In one year Lopez earned 40 times the average salary of an Argentinean worker in the software field.